Disguise PHAR packages as images

11th Sep 2018

US BlackHat 2018 proved that it is possible to obtain RCE from a PHAR package; moreover, by tweaking its binary content, it's possible to disguise it as a fully valid image, bypassing security checks.
Let's see how.

Breaking PHP internals

A vulnerable application allows an attacker to load arbitrary PHP classes by sending specially crafted requests.
By exploiting the PHP autoloader, we can turn it into a Local File Inclusion.

Manually craft blind SQL injections

How to leverage search results to exfiltrate database information using a blind SQL injection.

Searching for XSS found LDAP injection

5th Jun 2018

While searching for bugs on a target website, I decided to check if it was vulnerable to blind XSS.
It turns out that the system was vulnerable to LDAP injection.

CSRF token steal in Joomla

In this post we will see how you can bypass upload filters in Joomla and deliver a payload to steal the victim's session token.
With a little effort, it's possible to trick a Super User into visiting a malicious page and force him to create a new Super User for us.